The apps.tls.automation.policies[*].subjects[*] entry has the wildcard domain, and it does fetch the wildcard certificate correctly too.
Also, this new domain comes much later, after the first server initialization (it's loaded by the API). By then, the background ACME runner already has the TLS certificate for the wildcard domain. (I'm not sure whether it is cached in memory or not, but I'm guessing it is.)
I too was hoping what you said: that the new host matcher would see the wildcard certificate already and not provision a new certificate, but that was not the case for me in at least 2 tries before I gave up.
Unfortunately, no, these sub-domains are dynamic and randomly chosen. It isn’t recorded anywhere.
(Reference: my use case from the other thread, wrongly for on-demand, about random people picking their own sub-domains.)
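For readers following the thread, here is an illustrative Caddy JSON config sketch of the setup the post describes: one TLS automation policy whose subject is a wildcard, plus an HTTP route matched on a specific sub-domain under that wildcard. This is an added example, not the poster's actual config or anything from the Caddy project; the domain example.com, the server name srv0, and the DNS provider name are placeholders (a wildcard certificate needs the DNS challenge, which in Caddy requires a DNS provider module, so the provider block is an assumption you would replace with your own).

```json
{
  "apps": {
    "http": {
      "servers": {
        "srv0": {
          "listen": [":443"],
          "routes": [
            {
              "match": [
                {
                  "host": ["random-sub.example.com"]
                }
              ],
              "handle": [
                {
                  "handler": "static_response",
                  "body": "placeholder response for a dynamically added sub-domain"
                }
              ]
            }
          ]
        }
      }
    },
    "tls": {
      "automation": {
        "policies": [
          {
            "subjects": ["*.example.com"],
            "issuers": [
              {
                "module": "acme",
                "challenges": {
                  "dns": {
                    "provider": {
                      "name": "PLACEHOLDER_DNS_PROVIDER"
                    }
                  }
                }
              }
            ]
          }
        ]
      }
    }
  }
}
```

The point of the sketch is the relationship between the two places a name can appear: the wildcard lives only in the TLS policy's subjects, while the host matcher names a concrete sub-domain. When a route with a new host is loaded later through the admin API, the question raised in the thread is whether that host is served from the already obtained wildcard certificate or triggers a fresh certificate request; checking the Caddy logs for a new ACME order after the API load is the quickest way to tell which happened.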